With the technological advancements that are rapidly taking control over the world, we are progressing towards an era where absolutely anything and everything is bound by technology. Most valuable or confidential information is either stored in computers, computer-based systems, or other digital storage devices, which has led to the exponential growth of digital or cybercrimes. As a result, there surfaced the need for a forensic discipline to investigate such computer-based crimes. This gave rise to the discipline of Computer Forensics which emerged as a branch of Digital Forensic Science, to analyze digital media in order to locate, preserve, collect, interpret and present information and observations on digital content.
What is Computer Forensics?
Forensics is the practice of using analytical expertise to gather, examine, and present evidence to the courts. The word “Forensics” is of Latin origin and means “to bring to the court”. Forensics primarily concerns the retrieval and processing of evidence such as fingerprints, footprints, tire tracks and traces of bodily fluids found at crime scenes.
Computer Forensics is the discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in a court of law.
At present there are so many different digital devices and media that the science of Computer Forensics can be further divided into many different types. Computer Forensics has advanced dramatically over the years to address the obstacles posed by relentless technical growth, and new types have emerged as a result. Depending on the forensic targets and the digital technologies involved in an investigation, that is, the technological side of the crime and the forms of digital evidence investigators hope to discover, Computer Forensics has many sub-branches, such as File System Forensics, Memory Forensics, Multimedia Forensics, Network Forensics, Database Forensics, Malware Forensics, Mobile Device Forensics, Email Forensics, Firewall Forensics and Financial Forensics.
The aim of Computer Forensics is to perform a systematic investigation, keeping a detailed chain of evidence, to figure out precisely what occurred on a digital system and who or what was accountable for it. Typically, this discipline deals with computers, embedded systems (digital systems with limited processing power and onboard memory) and static memory (such as USB flash drives), and covers a wide variety of information, from logs (such as site history) to the actual files and individual data on the drive.
A Brief History of Computer Forensics
In the early 1980s, as personal computers became more widespread, they were increasingly used to commit illegal acts, and novel forms of computer crime were identified around the same time. As a result, the field of Computer Forensics arose as a technique for retrieving and analyzing digital evidence to be used in court. Ever since, the frequency of computer-based crimes has continued to rise, causing the field of Computer Forensics to advance rapidly. Today, Computer Forensics is used in many different areas of criminal investigation and is a popular prosecution technique for a wide variety of offenses, including child pornography, theft, terrorism, cyber-slaughter, murder, etc.
How is a Computer Forensics Investigation carried out?
A forensic investigation is conducted every time a crime happens. A major part of the investigation is to secure the crime scene; another is to collect all information that may establish what happened there and lead to the perpetrator being charged and convicted. Forensic evidence is required to conclude an investigation, and securing the crime scene is necessary to gather that evidence, because certain information is delicate, unstable or otherwise easy to alter, which can greatly hinder the investigation. In the context of computer-based crimes, a special type of forensic evidence called ‘Digital Evidence’ is gathered. Digital Evidence is defined as “any information that is stored or transmitted in a machine-readable form, and maintains enough integrity and legitimacy to be used in a court of law.” When collecting digital evidence, it is essential to understand the kind of potential evidence being searched for, in order to organize the search, and the investigator must choose the appropriate tools. Since files may have been erased, damaged, or encrypted, the investigator must be familiar with an array of techniques and software so as to prevent further damage during recovery. A Computer Forensics investigation has four stages: Acquisition, Identification, Evaluation, and Admission.
There are two major types of data acquired in Computer Forensics investigations: persistent data and volatile data. Persistent data is stored on the local hard drive and is preserved even when the device is switched off. Volatile data resides in registers, caches, and Random Access Memory (RAM) and is lost when the computer loses power or is switched off. Since volatile data is short-lived, it is important that an investigator identifies reliable ways of collecting it. Investigations in Computer Forensics then follow many steps in order to structure and evaluate the criminal hypothesis. Computer Forensic investigators search the gathered data for useful digital evidence, using a variety of techniques to uncover information and help solve a computer-based crime. Data acquisition, disk volume analysis, data recovery, keyword search, hidden data detection, timeline analysis, reverse engineering, multimedia forensic analysis and IP address tracing are some of the most commonly used techniques. However, as technology continues to evolve and becomes ubiquitous in our daily lives, so too do the ways in which it is utilized to commit crime, and so too must Computer Forensics techniques, to counterbalance the adverse effects.
In the Evaluation stage, investigators form several hypotheses, based on the evidence obtained in the previous stages, about what took place at the crime scene and who may be responsible, and determine how this evidence could be used against the suspect for prosecution in court. Further evaluation disproves the incorrect hypotheses, while one (or a few) will be proven entirely.
Finally, in the Admission stage, the investigators prepare reports to communicate their findings to the appropriate audience. When a forensic investigator is expected to provide testimony, the judge and jury must be persuaded that the investigator’s conclusions are accurate, yet in most cases some members of the court are not technically competent enough to grasp clearly the implications that digital evidence may carry. Thus the terminology used in the report, and how it is written, often play a very important role in the success of a prosecutor’s case.
During a Computer Forensic investigation, the investigators should refrain from altering data (dates, times, etc.) and from overwriting unallocated space, which can occur on rebooting, in order to carry out a clean investigation without complications.
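The acquisition and integrity steps described above, as an added example that is not part of the original article: the evidence is opened read-only, copied to an image, both are hashed so that a mismatch is caught, a chain-of-custody record is produced, and the keyword search runs against the image rather than the original, so unallocated-space remnants turn up without the source being touched. The sample “disk”, the examiner name and the file names are constructed placeholders.

```python
# Added example (not from the article): verified acquisition of a constructed
# evidence file, hash check, custody record, and keyword search over the image.
import hashlib
import tempfile
import time

CHUNK = 1 << 20  # 1 MiB blocks: large images never sit entirely in memory
# Constructed sample "disk" contents: a live file and a deleted-file remnant.
SAMPLE_DISK = (b"\x00" * 512 + b"Invoice #4417 for ACME, wired to acct 99-1182\n"
               + b"\x00" * 1024 + b"DELETED: meet at pier 7 midnight\n" + b"\x00" * 256)


def sha256_of(path):
    """Hash a file in chunks; this value is the image's integrity reference."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source, image, examiner):
    """Copy `source` (opened read-only) to `image`, hash both, and return a
    chain-of-custody record. verified=False means the image is not faithful."""
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    src_hash, img_hash = sha256_of(source), sha256_of(image)
    return {"time_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
            "examiner": examiner, "source": source, "image": image,
            "sha256": src_hash, "verified": src_hash == img_hash}


def keyword_search(image, keywords):
    """Byte offsets of each keyword in the raw image, unallocated space included."""
    with open(image, "rb") as f:
        data = f.read()
    hits = {}
    for kw in keywords:
        needle, offs, pos = kw.encode(), [], 0
        while (pos := data.find(needle, pos)) != -1:
            offs.append(pos)
            pos += 1
        hits[kw] = offs
    return hits


def demo():
    """Write the constructed sample to a temp dir and run the full workflow."""
    work = tempfile.mkdtemp()
    source, image = work + "/evidence.dd", work + "/evidence.img"
    with open(source, "wb") as f:
        f.write(SAMPLE_DISK)
    record = acquire(source, image, examiner="J. Doe (placeholder)")
    return record, keyword_search(image, ["Invoice", "DELETED", "pier 7"])
```

A real acquisition would also use a hardware write blocker and record the device serial number in the custody entry; this example only shows the software side of the hash-verified copy.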
A sound Computer Forensic investigator should not only be knowledgeable and skillful in computer technology and software programming, but should also possess a natural curiosity for figuring out puzzles and solving problems. Strong communication skills and knowledge in using various Computer Forensic tools are also required for Computer Forensic investigators.
Why is Computer Forensics Important?
Digital devices such as mobile phones, PDAs, tablets, desktops and many other data storage tools pervade several facets of life in today’s society, and many of them hold far more data than most people are aware of. The digitization of data and its associated ease of recording, retrieval and communication have in many ways reshaped our lives. Unfortunately, the dawn of the digital age has also given rise to computer crimes, where criminals use digital technology in the conduct of illicit acts such as hacking, identity theft, financial fraud, malfeasance, child trafficking, theft of trade secrets, etc. As a result, prosecutors are constantly forced to inspect digital media for evidence, including documents, images, video, text messages, transaction log files, etc., that can help recreate a crime and locate the suspect. Computer Forensics is a vitally important part of law enforcement investigations. It can also enhance device security by reproducing or analyzing the manner in which attacks are carried out, and it is a great support in solving crimes and prosecuting offences.
Computer Forensics has progressed tremendously with the advent of technology. Over the past few years, handheld computing devices such as smartphones and laptops have come into common use and are increasingly relied upon as primary, rather than secondary and complementary, computing devices because of their growing processing capabilities. As a result, more and more information is stored on mobile devices, which makes them potential targets for perpetrators, and the term ‘Computer Forensics’ has extended to include all devices capable of processing digital evidence, from mobile phones and laptops to GPS units and mp3 players.
Computer Forensics is important for several purposes: it facilitates data recovery, device recovery, volatile memory analysis, and many other useful services, while also offering mechanisms to preserve the integrity of digital information, which is crucial if it is to be used in court. Needless to say, Computer Forensics is most notable for its involvement in court proceedings involving digital evidence. Thus, failing to practice Computer Forensics correctly risks destroying vital evidence or having evidence ruled inadmissible in a court of law.
Computer Forensics can help save an organization’s money by ensuring the overall safety and longevity of the network infrastructure of the organization.
From a more technological perspective, Computer Forensics helps to locate, capture, preserve and interpret data in a fashion that maintains the credibility of the captured information, so that it can be used efficiently in a court case.
As much as the dawn of the digital age has improved our quality of life, it has also offered a golden opportunity for abusers of technology looking to maximize their profits illicitly. As cybercrimes have become a rampant reality, prosecutors need to do much more than find suspects and match them to a crime; they must be able to produce convincing digital evidence in a court of law in order to punish the criminals. Thus, as long as technology continues to advance, the science of Computer Forensics will continue to expand and increase in demand, because the law will require its assistance to deal with each new wave of cybercrime.